Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak

from the thanks-for-the-help!-they-sued dept

For doing the company the favor of informing it about a leaky AWS bucket exposing sensitive counseling records of 300,000 Indian employees, the company — 1to1Help — has filed a criminal complaint against the person who brought the situation to its attention.

In the middle of May, a researcher came across the exposed data and informed Dissent Doe of DataBreaches.net about their findings. After verifying the leak, Dissent Doe began trying to contact 1to1Help to inform it of the leak. No response was received until over a month later, possibly prompted by Dissent Doe contacting a large American company that was a customer of 1to1Help.

The slow response was blamed on internal email routing. Here’s some of what was seen in the exposed bucket:

In looking at the plaintext counseling logs, I saw counseling logs for employees of Cognizant, IBM, HP, Capgemini, Dell, Oracle, and Microsoft.

[…]

There were more than 280,000 records in the users’ table, and more than 300,000 records, total, in the exposed bucket. As of the time of this posting, we have not been told for how long the bucket was exposed. Nor do we yet know how many unique IP addresses may have accessed and/or downloaded the data. What we do know is that contact information for employees of business and financial sector firms was freely available — as was sensitive information for some of them that might be used by miscreants for spearphishing or even extortion.

Data on employees included their first and last names, their username, their email address, their password (in plaintext in some tables), their telephone number, IP address, gender, and their relationship status.

Keep in mind that 1to1Help is a counseling firm that provides mental and physical health services to customers. That gives you some idea just how sensitive this information is, especially when bundled with the usual PII and personal email addresses.

The contact person at 1to1Help sent an email detailing the steps the company had taken, as well as the preventive measures deployed against further leaks. Unfortunately, 1to1Help’s Anil Bisht also tried to talk Dissent Doe out of writing about this leak.

As a small India-based business (where there is no 911 support for threats and suicides, and where until recently suicide was criminalized) it has been an uphill battle to popularize and gain acceptance for counselling. By publishing specifics, this would bring about a general mistrust and discourage employees from reaching out to counselling firms such as ourselves. This in turn would be detrimental to the users and may even lead to loss of life. We cannot emphasize the impact of this enough.

[…]

We once again thank you for your time in interacting with us and respect that your interest is in safeguarding the users. May we once again request you to desist from publishing & securely delete any user data that you may have.

Doe refused, stating that she would not be covering up the leak. Nor would she delete the data until full disclosure was made by 1to1Help.

Because of this refusal to cover up 1to1Help’s screw-up, the company has decided to take legal action against Doe and her site by filing a criminal complaint in India. It has already managed to secure an injunction against the site forbidding it from publishing… an article that has already been published.

The injunction was issued by a civil court in Bengaluru on August 6th — five days after I published my report on the leak. The plaintiffs are seeking a permanent injunction that would bar me and my site:

– from disclosing, publishing or broadcasting the schedule data or any part thereof; and

– from publishing or broadcasting any report or article on the breach of the schedule data as threatened (sic) in their emails dated 11/06/2019, 14/07/2019 and 30/07/2019 addressed to the plaintiff;

The suit also seeks to direct Domain People to block the website of DataBreaches.net.

As Doe notes, it appears 1to1Help’s lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.

Second, the lawyers claimed Doe’s site was “rogue,” due to it containing no contact information for Doe. They were either wrong or lying, as Doe’s site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.

Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That’s called journalism, not blackmail, and either its lawyers can’t comprehend that or they willfully misportrayed this extremely common process to the court.

The problem isn’t the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.

This leak was not the fault of databreaches.net or the researcher who found it and provided data to this site. This leak was the responsibility of the entity responsible for securing the data properly but who did not encrypt it, who failed to detect their own error, and who then ignored multiple attempts to notify them that they had a leak.

What if I hadn’t persisted in trying to notify them? Their filing notes that they were contacted by a client on June 27. Whom do you think notified that client? It was this blogger and this site — still trying to get 1to1Help.net to address the leak. Not to toot our own horn, but if it wasn’t for this site’s persistence, they’d still be exposing sensitive data that the whole world could be downloading. And yet the company wants me charged criminally and got an injunction to try to censor me from reporting on their security incident?

This is far too common a response and it’s certainly not limited to India, where the legal system is often used to target speech complainants don’t like. Doe resides in the United States, so the First Amendment protects everything she’s written, even from a company halfway around the world that doesn’t like its lax security discussed in public.

Companies: 1to1help


Comments on “Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak”

21 Comments
Get off my cyber-lawn! (profile) says:

Typical

Doe – pounding on door and yelling "Your apartment is on fire!"

1to1 – "Thanks but please don’t tell the neighbors"

Doe – "No, that would be reckless and stupid"

1to1- "We’re calling the police to have you arrested for disturbing the peace and attempting to blackmail us by telling our neighbors that our apartment is on fire!"

Indian Court – "Not only shouldn’t you have told the neighbors about the fire, but you aren’t allowed to tell anyone else about it going forward!"

Tin-Foil-Hat says:

Automated Process

Perhaps an anonymous automated process should be developed where vulnerabilities can be reported to the company. Once the process begins the information is provided to the public after ten days (or whatever). The company can respond and the initial report can be deactivated in a variety of ways plus a general expiration of the report. That way the company can take action or not but at least the person who reports the issue doesn’t have to take the risk that the company is run by idiots and/or assholes.
